With Perfect Privacy, you have the option of encrypting your Internet traffic up to 4 hops - and by using proxy servers and SSH tunnels even more!
Such cascading comes at the cost of slower speed, but it offers two significant advantages:
First, you can choose your entry and exit node separately. That is useful if you stay in countries that only allow connections to domestic IP addresses. Once you have established a VPN connection to a server within the country, you can cascade your connection and exit on a server outside the country. This way you can circumvent nationwide imposed censorship (e.g., as done in China) with VPN.
The second advantage is protection against certain more sophisticated attacks and this way increasing security and anonymity of the VPN user.
A cascaded connection generally complicates traffic correlation: if you only use a single VPN server, the Internet Service Provider (ISP) (or a listening attacker) can see which server you are connecting to. If an eavesdropper also has access to the data center with the VPN server and sees the outgoing traffic, he can try to correlate the incoming and outgoing traffic to identify the user. Of course, the more users connect to the same VPN server, the more difficult this attack becomes.
With a cascaded connection this type of attack becomes much more difficult because while the ISP/eavesdropper still knows the VPN entry node of the user, it does not know on which server the traffic exits. He would need to monitor all VPN servers and take a guess at which exit node the user is using. That makes it next to impossible to identify users by traffic correlation successfully.
Also, it is theoretically possible that an attacker has physical access to the VPN server in the data center. In that case, he can execute a de-anonymization attack on the VPN user. A cascaded connection protects against this attack vector: Since the user’s traffic is encapsulated with an additional layer of encryption for each hop in the cascade, no traffic can be read or correlated with incoming traffic.
The attacker would still see outgoing encrypted traffic to another VPN server, but he cannot determine whether this is a middle or exit node. To successfully intercept and decrypt the traffic, the attacker would need to have physical access to all hops in the cascade simultaneously. That is practically impossible if the hops are in different countries.
By the way: Not every VPN provider that offers cascaded or multi-hop connection is providing a fully encrypted cascade: Some providers just forward your traffic to another VPN server, without an additional layer of encryption. That doesn't protect against beforementioned attacks because the traffic can still be read on the entry node. If in doubt, you should ask your VPN provider how cascaded connections are implemented.
You first establish a connection to a VPN server of your choice, for instance, oslo.perfect-privacy.com. Then you connect to an additional server, e.g., montreal.perfect-privacy.com. In the same manner, you then add further hops, in our example bucharest.perfect-privacy.com and singapore.perfect-privacy.com. If the servers used in the cascade support IPv6 you also have a full dual stack IPv4 & IPv6 connection.
In that setup, your ISP can see that you send encrypted traffic to a server in Panama, but your actual traffic exits in Singapore since all packets are being relayed from Sao Paulo over Montreal and Bucharest and to Singapore before they enter the Internet.
$12.99 billed for one month
€12.99 billed for one month
billed for one year
billed for one year